-
Notifications
You must be signed in to change notification settings - Fork 43
Permissions
github-actions edited this page Oct 31, 2022
·
3 revisions
This module can create and use the following resources during its deployment:
Microsoft.Subscription/aliasesMicrosoft.Management/managementGroups/subscriptions-
Microsoft.Resources/deploymentsat the following scopes:- Tenant -
/ - Management Group -
Microsoft.Management/managementGroups - Subscription
- Resource Group
- Tenant -
-
Microsoft.Resources/tagsat the following scopes:- Subscription
- Resource Group
- Resource
-
Microsoft.Authorization/locksat the following scopes:- Resource Group
-
Microsoft.Authorization/roleAssignmentsat the following scopes:- Subscription
- Resource Group
- Resources
Microsoft.Resources/resourceGroupsMicrosoft.Network/virtualNetworksMicrosoft.Network/virtualNetworks/virtualNetworkPeeringsMicrosoft.Network/virtualHubs/hubVirtualNetworkConnections
The identity used must have permissions to:
-
Create Subscriptions using the
Microsoft.Subscription/aliasesresource- See documentation on this resource here in: Create Azure subscriptions programmatically
- See documentation for instructions on how to grant/assign EA roles to SPNs: Assign roles to Azure Enterprise Agreement service principal name
- See documentation on this resource here in: Create Azure subscriptions programmatically
-
Manage the Subscription's Management Group association using the
Microsoft.Management/managementGroups/subscriptionsresource- See documentation on the required permissions here in: What are Azure management groups? - Moving management groups and subscriptions
-
Note: The identity that creates the Subscription will have the RBAC
Ownerrole assigned to the Subscription by default. If you are using an existing Subscription with this module, you must ensure the identity you are using with this module hasOwnerpermissions upon that existing Subscription prior to using the module with it.
-
Note: The identity that creates the Subscription will have the RBAC
- See documentation on the required permissions here in: What are Azure management groups? - Moving management groups and subscriptions
-
Create the Subscription core resources (Resource Group, Virtual Network, Virtual Network Peerings, Resource Locks, Role Assignments)
- The default assigned RBAC
Ownerrole on the Subscription for the identity creating it will be sufficient to create the resources in the Subscription.-
Note: If you are using an existing Subscription with this module, you must ensure the identity you are using with this module has
Ownerpermissions upon that existing Subscription prior to using the module with it.
-
Note: If you are using an existing Subscription with this module, you must ensure the identity you are using with this module has
-
Create the "hub side" of the Virtual Network Peerings/Virtual WAN Hub Connections
- To create the Virtual Network Peerings or Virtual Hub Connections to the Hub Virtual Networks or Virtual WAN Hub, that is in a different Subscription, you must ensure the identity deploying this module has the
Network ContributorRBAC role assigned upon the Hub Virtual Network or Virtual WAN Hub resources, Resource Group, or Subscription.
- To create the Virtual Network Peerings or Virtual Hub Connections to the Hub Virtual Networks or Virtual WAN Hub, that is in a different Subscription, you must ensure the identity deploying this module has the
- The default assigned RBAC
This wiki is being actively developed
If you discover any documentation bugs or would like to request new content, please raise them as an issue or feel free to contribute to the wiki via a pull request.
The wiki docs are located in the repository in the docs/wiki/ folder.